Amendments to the Claims:

This listing of claims replaces all prior versions and listings of claims in the application:

Listing of Claims:

1. (Currently amended) A computing device, disposed between a data center and a network for thwarting an attack on the data center, the computing device executing:

a monitoring process that monitors network traffic through the gateway;

a communication process that communicates statistics collected in the gateway by the monitoring process with a control center and that receives queries or instructions from the control center; and

a filtering process to insert filters on network devices to filter out packets that the gateway or the control center deems to be part of an attack.

2. (original) The gateway of claim 1 wherein the communication process couples to a 
dedicated link to communicate with the control center over a hardened network. 

3. (original) The gateway of claim 1 wherein the monitoring process in the gateway 
samples network packet flow in the network. 

4. (original) The gateway of claim 1 wherein the gateway is adaptable to be physically 
deployed in line in the network. 

5. (Currently amended) The gateway of claim 1 wherein the gateway is adaptable to dynamically install the filters on nearby routers.
6. (original) The gateway of claim 1 wherein the monitoring process detects IP traffic and determines levels of unusual amounts of IP fragmentation or fragmented IP packets with bad or overlapping fragment offsets.

7. (original) The gateway of claim 1 wherein the monitoring process detects Internet Protocol (IP) traffic and determines levels of IP packets that have bad source addresses or Internet Control Message Protocol (ICMP) packets with broadcast destination addresses.

8. (original) The gateway of claim 1 wherein the monitoring process detects Internet Protocol (IP) traffic and determines levels of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to unused ports.

9. (original) The gateway of claim 1 wherein the monitoring process detects IP traffic and determines levels of TCP segments advertising unusually small window sizes, which may indicate a load on the data center, or TCP ACK packets not belonging to a known connection.

10. (original) The gateway of claim 1 wherein the monitoring process detects a sustained rate of reload requests that is higher than plausible for a human user over a persistent HTTP connection.

11. (original) The gateway of claim 1 wherein the monitoring process maintains statistical summary information of traffic over different periods of time and at different levels of detail.

12. (original) The gateway of claim 11 wherein the monitoring process maintains statistics on parameters including source and destination host or network addresses, protocols, types of packets, number of open connections or of packets sent in either direction.

13. (original) The gateway of claim 12 wherein the monitoring process has configurable thresholds and issues a warning when one of the measured parameters exceeds the corresponding threshold.
14. (original) The gateway of claim 13 wherein the monitoring process logs packets.

15. (original) The gateway of claim 14 wherein the monitoring process logs specific packets identified as part of an attack to enable an administrator to identify important properties of the attack.

16. (Currently amended) A method of protecting a victim site during a denial of service attack, comprises:

monitoring network traffic through a gateway disposed between the victim site and a network and measuring heuristics of the network traffic to provide statistics on the network traffic;

communicating the statistics collected in the gateway to a control center; and

filtering out packets that the gateway or control center deems to be part of an attack.

17. (original) The method of claim 16 wherein communicating occurs over a dedicated 
link to the control center via a hardened network. 

18. (original) The method of claim 16 wherein monitoring samples network packet flow 
in the network. 

19. (original) The method of claim 16 wherein the gateway is physically deployed in line in the network.

20. (original) The method of claim 16 wherein filtering further comprises:
dynamically installing filters on nearby routers via an out of band connection.
21. (original) The method of claim 16 wherein monitoring further comprises: 
detecting IP traffic and determining levels of unusual amounts of IP fragmentation or 
fragmented IP packets with bad or overlapping fragment offsets. 
22. (original) The method of claim 16 wherein monitoring further comprises:
detecting Internet Protocol (IP) traffic and determining levels of IP packets that have bad source addresses or Internet Control Message Protocol (ICMP) packets with broadcast destination addresses.

23. (original) The method of claim 16 wherein monitoring further comprises:
detecting Internet Protocol (IP) traffic and determining levels of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to unused ports.

24. (original) The method of claim 16 wherein monitoring further comprises:
detecting IP traffic and determining levels of TCP segments advertising unusually small window sizes, which may indicate a load on the data center, or TCP ACK packets not belonging to a known connection.

25. (original) The method of claim 16 wherein monitoring further comprises:
detecting a sustained rate of reload requests that is higher than plausible for a human user over a persistent HTTP connection.

26. (original) The method of claim 16 wherein monitoring further comprises:
logging statistics on parameters including source and destination host or network addresses, protocols, types of packets, number of open connections or of packets sent in either direction.

27. (original) The method of claim 16 wherein monitoring further comprises:
issuing a warning to the control center when one of the measured parameters exceeds a corresponding configurable threshold.

28. (original) The method of claim 16 wherein monitoring further comprises:
logging specific packets identified as part of an attack to enable an administrator to identify important properties of the attack.

29. (Previously Presented) A computer program product residing on a computer readable 
medium for protecting a victim site during a denial of service attack, comprises instructions for 
causing a computer device coupled at an entry to the site to: 

monitor network traffic sent to the victim site and measure heuristics of the network 
traffic to provide statistics on the network traffic; 

communicate statistics collected in the computer device to a control center; and 
filter out packets that the device or control center deems to be part of an attack. 

30. (original) The computer program product of claim 29 wherein instructions to monitor 
further comprise instructions to: 

sample network traffic flow. 

31. (original) The computer program product of claim 29 wherein instructions to filter 
further comprise instructions to: 

dynamically install filters on nearby routers via an out of band connection. 

32. (original) The computer program product of claim 29 wherein instructions to monitor 
further comprise instructions to: 

detect IP traffic; and 

determine levels of unusual amounts of IP fragmentation or fragmented IP packets with bad or overlapping fragment offsets.

33. (original) The computer program product of claim 29 wherein instructions to monitor 
further comprise instructions to: 

detect Internet Protocol (IP) traffic; and 

determine levels of IP packets that have bad source addresses or Internet Control 
Message Protocol (ICMP) packets with broadcast destination addresses. 
34. (original) The computer program product of claim 29 wherein instructions to monitor 
further comprise instructions to: 

detect Internet Protocol (IP) traffic; and 

determine levels of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to unused ports.

35. (original) The computer program product of claim 29 wherein instructions to monitor further comprise instructions to:

detect IP traffic; and 

determine levels of TCP segments advertising unusually small window sizes, which may 
indicate a load on the data center, or TCP ACK packets not belonging to a known connection. 

36. (original) The computer program product of claim 29 wherein instructions to monitor further comprise instructions to:

detect a sustained rate of reload requests that is higher than plausible for a human user 
over a persistent HTTP connection. 

37. (original) The computer program product of claim 29 wherein instructions to monitor further comprise instructions to:

log statistics on parameters including source and destination host or network addresses, 
protocols, types of packets, number of open connections or of packets sent in either direction. 

38. (original) The computer program product of claim 29 wherein instructions to monitor further comprise instructions to:

issue a warning to the control center when one of the measured parameters exceeds a 
corresponding configurable threshold. 
39. (original) The computer program product of claim 29 further comprising instructions to cause the computer device to receive communications from a control center to deliver data pertaining to the types of traffic passing through the gateway.
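The monitoring heuristics recited in claims 6 through 15 (and restated for the method and program-product claims in 21 through 28 and 32 through 38) can be read as a single packet-level detector with per-parameter statistics, configurable thresholds and an attack-packet log. The following is an added worked example written for this page; it is not code from the application or the applicant's implementation. The protected prefix, open-port list, bogon ranges, threshold values, small-window and reload-rate limits, and every packet record are constructed assumptions, and the records carry no source ports, so a TCP connection is identified by its endpoint pair.

```python
"""Added example (not the applicant's code): a toy monitor implementing the
heuristics of claims 6-15 over constructed packet records. The bogon list,
thresholds, small-window and reload-rate limits are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

BROADCAST = "255.255.255.255"
BOGONS = [ipaddress.ip_network(n) for n in (   # assumption: never valid as an Internet source
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""             # TCP flags as letters: "S", "SA", "A"
    window: int = 65535         # advertised TCP window, bytes
    frag_id: int = 0            # IP identification field
    frag_offset: int = 0        # fragment offset, in 8-byte units
    more_frags: bool = False
    length: int = 0             # payload length, bytes
    http_request: bool = False  # a request on a persistent HTTP connection
    t: float = 0.0              # arrival time, seconds

class Monitor:
    def __init__(self, site, open_ports, thresholds, small_window=256, http_rate=5.0):
        self.site = ipaddress.ip_network(site)    # protected data center prefix
        self.open_ports = set(open_ports)
        self.thresholds = dict(thresholds)        # parameter -> configurable threshold (claim 13)
        self.small_window, self.http_rate = small_window, http_rate
        self.counts = Counter()                   # statistical summary (claims 11-12)
        self.known = set()                        # endpoint pairs that sent a SYN
        self.frags = defaultdict(list)            # (src, dst, id) -> [(start, end)]
        self.http_first, self.http_n = {}, Counter()
        self.attack_log = []                      # (reason, packet) for the administrator (claim 15)

    def _flag(self, reason, pkt):
        self.counts[reason] += 1
        self.attack_log.append((reason, pkt))

    def observe(self, pkt):
        c, src, dst = self.counts, ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        inbound = dst in self.site
        c.update(["packets", "proto:" + pkt.proto, "src:" + pkt.src])
        # claim 7: bogon sources, or the site's own prefix arriving from outside (spoofed)
        if inbound and (src in self.site or any(src in n for n in BOGONS)):
            self._flag("bad_source", pkt)
        if pkt.proto == "icmp" and pkt.dst == BROADCAST:
            self._flag("icmp_broadcast", pkt)
        if inbound and pkt.proto in ("tcp", "udp") and pkt.dport not in self.open_ports:
            self._flag("unused_port", pkt)        # claim 8
        if pkt.proto == "tcp":
            key = frozenset((pkt.src, pkt.dst))   # no source ports in these records
            if "S" in pkt.flags:
                self.known.add(key)
                c["open_connections"] = len(self.known)
            elif "A" in pkt.flags and key not in self.known:
                self._flag("orphan_ack", pkt)     # claim 9: ACK for no known connection
            if pkt.window < self.small_window:
                self._flag("small_window", pkt)   # claim 9: server under load
        if pkt.more_frags or pkt.frag_offset > 0:  # claim 6
            c["fragments"] += 1
            start, end = pkt.frag_offset * 8, pkt.frag_offset * 8 + pkt.length
            seen = self.frags[(pkt.src, pkt.dst, pkt.frag_id)]
            if end > 65535 or any(start < e and end > s for s, e in seen):
                self._flag("bad_fragment", pkt)   # runs past 64 KiB or overlaps an earlier piece
            seen.append((start, end))
        if pkt.http_request:                      # claim 10: reloads faster than a human
            self.http_n[pkt.src] += 1
            t0 = self.http_first.setdefault(pkt.src, pkt.t)
            if self.http_n[pkt.src] / max(pkt.t - t0, 1.0) > self.http_rate:
                self._flag("http_reload_flood", pkt)

    def warnings(self):
        """Parameters whose measured value exceeds the configured threshold (claim 13)."""
        return sorted((p, self.counts[p], th)
                      for p, th in self.thresholds.items() if self.counts[p] > th)

def sample_traffic():
    """Constructed records: one legitimate handshake, then one instance of each abuse."""
    srv, cli = "198.51.100.10", "203.0.113.5"
    pk = [Packet(cli, srv, "tcp", 80, "S", t=0.0), Packet(cli, srv, "tcp", 80, "A", t=0.1),
          Packet("203.0.113.9", srv, "tcp", 80, "A", t=0.2),        # ACK with no SYN
          Packet("10.0.0.1", srv, "tcp", 80, "S", t=0.3),           # bogon source
          Packet("203.0.113.7", BROADCAST, "icmp", t=0.4),          # smurf-style ICMP
          Packet("203.0.113.8", srv, "udp", 31337, t=0.5),          # unused port
          Packet("203.0.113.6", srv, "udp", 53, frag_id=7, more_frags=True, length=1480, t=0.6),
          Packet("203.0.113.6", srv, "udp", 53, frag_id=7, frag_offset=100, length=200, t=0.7),
          Packet(srv, cli, "tcp", 45000, "A", window=32, t=0.8)]    # tiny window from the server
    pk += [Packet(cli, srv, "tcp", 80, "A", http_request=True, t=1.0 + i * 0.05) for i in range(12)]
    return pk

def run_demo():
    m = Monitor("198.51.100.0/24", open_ports={53, 80, 443},
                thresholds={**dict.fromkeys(["bad_source", "icmp_broadcast", "unused_port",
                            "orphan_ack", "small_window", "bad_fragment"], 0),
                            "http_reload_flood": 5, "fragments": 1000})
    for p in sample_traffic():
        m.observe(p)
    return m
```

Running `run_demo().warnings()` on the constructed records yields one warning for each of the seven abuse parameters, while the plain fragment count stays under its threshold; `attack_log` holds the specific packets an administrator would inspect. Only the monitoring and warning side of the claims is modelled here; pushing filters to nearby routers (claims 5, 20 and 31) and the dedicated link to the control center (claims 2 and 17) are outside the example.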